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ABSTRACT 


This thesis investigates computer security considerations 
in distributed systems. In particular, it concentrates on 
assisting managers to gain an appreciation for what 
distributed systems are, and what are the inherent security 
issues in these systems. A survey of the literature on 
computer security was conducted to identify those issues 
unique to distributed systems. Although many controls are 
discussed, management must design and support a comprehensive 


security plan tailored to their unique organization. 
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sige INTRODUCTION 


Security threats and countermeasures are well identified 
for stand-alone computer system assets. Rapid technology 
advances, however, have changed the form and extent of 
connectivity between computer systems and enhanced the use of 
distributed architectures (Buchanan and Linowes, 1980). 
Distributed computer systems face the same potential threats 
as stand-alone systems plus additional threats stemming from 
their unique characteristics. Reasons for the increased 
security exposure may include: (Johnson and Layne, 1987; 


Muftic, 1989) 


® Geographic dispersion of computer system assets 


e Several organizations and management involved ina single 
network 


e Central control is difficult 
e Dissimilar computers and operating systems 
e More entities involved 


e Security exposure over a broader range of levels 


A comprehensive examination of threats to such systems, 
including those threats stemming from system connectivity is 
essential to any security plan. (Pfleeger, 1989) 

The main objective of any security plan is to operate 


systems at an acceptable level of risk. The scope of a 


security program should be commensurate with the value of the 
assets requiring protection. Typical grouping of these assets 
are hardware, software, data, personnel, documentation and 
supplies. A more extensive list of possible assets is 
provided in Appendix A and will be further discussed in 
Chapter III. 

Distributed system security employs management implemented 
countermeasures to ensure the protection of assets in a 
distributed environment. It provides assurances that the 
distributed system performs critical functions correctly. 
While security goals for stand-alone systems are well known, 
the goals unique to distributed systems are more complex and 
difficult to identify (IBM, 1987; Branstad, 1987). These 
goals include system integrity, connection confidentiality, 
originator/recipient nonrepudiation, access control, and 


denial of service. (COMNAVDAC, 1991; Stallings, 1990) 


System Integrity. System integrity provides for the 
integrity of all user data on all connections. It can be 
further broken down into three subcategories. The first 


involves the routing of data where data transmitted from any 
point ina network is received at the intended destination and 
nowhere else. The second involves the protection of data 
itself where the data received at any point in a distributed 
system is exactly the same in content as the data transmitted. 
It allows for the determination of whether the data has been 


modified, inserted, deleted, or replayed. Thirdlyaaewe 


guarantees that information, while in transit, cannot be 
observed, tampered with, or extracted from the distributed 
system by some unauthorized person or device. 

Connection Confidentiality. Provides IONS the 
confidentiality of all user data on a connection. 

Originator/Recipient Nonrepudiation. Another goal of 
distributed system security is to assure nonrepudiation. It 
provides the sender of data with proof of data delivery to 
protect against any attempt by the recipient to deny receiving 
the data. It also provides the data recipient with proof of 
data origin to protect against any attempt by the sender to 
deny sending the data. It must also allow for the sender of 
the data to verify that receipt was by (and only by) the 
authorized recipient. 

Access COnenrol., Access control guards against 
unauthorized access to a resource such as reading, writing, or 
deleting data. It guarantees that all physical components of 
the distributed system on the organization’s premise are 
accessible only to authorized individuals. Examples of 
physical components include terminals, terminal controllers, 
modems, nodes, data links, and telecommunication lines. 
Access control also detects and identifies any attempt to 
observe, tamper with, or extract information from the network 
by an unauthorized person or device. Once a Known violation 
has occurred an appropriate action can be taken to prevent 


future occurrences. 


Denial of Service Protection. Adequate alternate paths 
allow transmission of data between points in a distributed 
system where the need for transmission of data exists. These 
paths also ensure that alternate means of transmitting has 
been identified, implemented, and tested. For critical data, 
contingencies should address failure by the primary and backup 
paths. 

This thesis focuses on security threats unique to 
distributed systems. The investigation begins by identifying 
characteristics and assets of distributed systems. Security 
threats unique to distributed systems are then identified, 
with an analysis of possible countermeaSures for the 


identified threats. 


Il. DISTRIBUTED SYSTEM OVERVIEW 


A. DEFINITION 

There 1S not a universally accepted definition to the term 
distributed systems. Rather, it describes information systems 
with widely different architectures and characteristics. The 
absence of such a definition suggests that it 1S as much a 
point of view as aesystem type with distinguishing 
characteristics. There are two fundamental attributes that 
all distributed processing systems seem to have in common: 

(Lorin, 1988) 
1. There are multiple instances of stand-alone computer 

systems. 


2. The stand-alone systems can communicate electronically. 


When attempting to evaluate a system, a diagram can show 
how pieces of equipment are connected. Diagrams of the system 
meructure, or topology, can be helpful but do not fully 
describe the system. Four other important characteristics 


should also be included. (McNurlin and Sprague, 1989) 


1. Where the processing is performed 
2. What communication links are used 
3. Where the information is stored 


4. What rules or standards are in place 


B. MODES OF DISTRIBUTED PROCESSING 

Rapid technological advances continue co impact 
interconnect capability, processor Capacity, software 
methodology, and industry pricing structures. These changes 
have expanded the set of designs available in solving 
information processing problems (Ahituv and Sadan, 1985). The 
Significance of the distributed processing lies in the variety 
of systems choices allowing organizations to better fit the 
information system architecture to their own organizational 
structure (Buchanan and Linowes, 1980). Figure 1 displays the 
continuum of systems that exist between stand-alone and highly 


distributed systems. 
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Figure 1 Distributed System Continuum 


The following grouping of systems based on the degrees of 
the two fundamental attributes of multiple nodes’' and 


electronic communication are identified for comparison. 


Stand-alone Systems. A stand-alone system is one that can: 
be treated as a distinct entity. Bhere soe no -fOrm sof 
electronic communications to any other system. 

Tightly Coupled Systems. Tightly coupled systems are 
multiprocessor systems. They are a population of processors 
sharing addressing to memory and devices. This sharing is 
accomplished by utilizing single operating system. The 
existence of a single operating system results in the presence 
of a space-time coherence between the processors. A unit 
where space-time coherence exists can be managed as a single 
node. A node is an element of a computer network. 

Loosely Coupled Systems. The loose interconnection of 
computer systems comes very close to the concept of 
Gistributed processing by the attribute of multiple complete 
systems. They are systems connected over I/O pathways, 
traditionally distinct from networks. Many of these pathways 
differ from tightly coupled systems only in the physical sense 
that they do not share memory or operating systems. They may 
be functionally quite dependent, and as a result take on the 
characteristics of a single node, a single ‘system’, rather 
than an interconnection of two nodes. 

Networked Systems. There are many types of networks 
displaying a broad range of characteristics. They can vary 
from completely autonomous systems with the added ability to 
communicate electronically, to diskless workstations 


completely dependent on the network server for all secondary 


storage and communications operations. Each type of network 
has some unique set of properties that makes it attractive 
based on service provided, cost, reliability, serviceability, 
flexibility, etc. As well, each unique network possesses some 
set of properties that make it similar in nature to other 


network types. 


C. NETWORKED SYSTEM 

A second approach at identifying and grouping distributed 
systems can be accomplished through the examination of system 
structures. By this approach four system structures that 
qualify as distributed are identified. (McNurlin and Sprague, 
1989) 

A hierarchy of processors. This structure is typically 
the most common in larger information systems that have 
shifted toward increased distribution and end-user computing. 
Topographically, the largest computer resides at the top and 
personal computers or terminals at the bottom, as displayed in 
Figure 2. At least three possible schemes for data storage 
can be supported by this particular organization. First, all 
data can be stored at the top of the hierarchy. Secondly, 
master records can be stored at the top, with subsets at 
intermediate levels to support lower level processing. 
Thirdly, master records can be stored where they are most used 
and provide updated records to the top of the hierarchy for 


backup purposes. 
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Figure 2 Hierarchy of processors. 


A network of cooperating workstations. This structure is 


common for current office systems. An example is displayed in 





Figure 3. 
Printers 
Figure 3 Cooperating workstations. 
There is no particular hierarchy of processors. Any 


workstation can call on another workstation in the network for 


data or service, provided it is authorized to do so. 


IHG 


Decentralized stand-alone systems. Decentralization is 
the dedication of applications to systems in such a way that 


systems do not interact with each other as shown in Figure 4. 


Decentralized System 





Figure 4 Decentralized stand-alone 
systems. 


It occurs when applications that have traditionally been 
sharing a large machine are moved to several smaller systems. 
This is frequently seen in organizational information systems 
originally designed in the 1960’s where many small data 
centers existed within a large organization. These 
independent systems have been subsequently modernized to allow 
a little data to flow among the decentralized systems, but 


mostly in an upward direction toward corporate management. 
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Office systems that communicate with data processing. 
This structure is a hybrid of two other identified structures. 
As displayed in Figure 5, it is a combination of the hierarchy 
approach (for Data Processing) and the network of cooperating 


workstations (for office systems). 


Printers 
a 





pe__\ \_¥ 
Personal Computers / Workstations 





Figure 5 Office systems that communicate 
With data processing 


Each of these four network architectures discussed 
previously need additional specification to describe fully the 


degree to which it is distributed. These additional factors 


are. 
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Distributed processing. An important distinction must be’ 
made between decentralized and distributed processing. 
Distributed processing contains some concept of system, of 
node relations, dependency, and interaction. It provides for 
the processing of an application on a computer that is located 
outside the corporate data center and operates on a network. 
In its ideal form it is a mapping of a single application 
across several nodes. The goal is to move processing closer 
to the user or to use different machines to do the part of a 
job each does best. A distributed system is a system in the 
sense that there is interaction, cooperation, and some form of 
dependency between nodes. 

One current form of distributed processing is based on the 
concept of cooperative processing. These systems operate by 
dividing processing between two or more geographically 
dispersed nodes. After completion of processing, one node 
sends data to another node for further processing. 

All forms of distributed processing are dependent on the 
cooperative effort of the system’s nodes. More advanced forms 
of distributed processing are possible with increased 
interoperability. Interoperability is the capacity for nodes 
using different operating systems and different hardware 
platforms protocols to work together on the same task. Node 
interoperability can be supported in two forms: 


e Transparent communication between system applications 
using system protocols. 
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e The interactive or two-way flow of messages between user 
applications. 

Connectivity among processors. Each processor ato a 
distributed system can send data and messages to any other 
processor through electronic communication linkages. A clear 
trait of electronic communication is that as distance grows, 
the communication gets slower, less reliable, and more 
expensive. Breakpoints based on distance have been accepted 
because of orders of magnitude differences in speed and 
reliability. These are often grouped as : In-Frame, Bus, 
Local-Area, Metropolitan-Area, and Wide-Area, and Global 
Interconnection. Emerging communications technology is 
beginning to provide interconnect pathways at speeds 
sufficient to blur the importance of physical distance. The 
reliability of node interconnection is also dependent on the 
availability of alternate communication paths. 

Distributed databases. As seen in the discussion of 
systems displaying a hierarchy of processors, the location of 
data storage is an important design consideration. Two 
possible avenues are available based on the duplication of 
data. The first is dividing a database and distributing its 
portions throughout a system without duplicating the data. 
Any portion of the data should be accessible from any node, 
subject to access authorizations. Data location is 
transparent to users, it is the system’s responsibility to 


know where all data is stored. The second possible avenue is 
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based on distributed duplicate data. In this approach the 
same data is stored at several locations, although one site 
generally contains the master file. Here, the system is 
responsible for synchronizing data which can be a significant 
problem. 

System-wide rules. The shift away from centralized 
systems and toward distributed systems is making connectivity 
more important than in the past. This shift permits greater 
control of operations by components of an organization, yet 
can potentially degrade connectivity. Operating discipline 
for the entire distributed system needs to be developed and 
enforced at all times. These rules include intercommunication 
between nodes, security, data accessibility, program and file 


transfer, and common operating procedures. 


ss: 


III. DISTRIBUTED SYSTEM ASSETS AND THREATS 


There is an interrelationship between assets and potential 


threats (see Figure 6). 
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Figure 6 Relationship Between Assets, 
Threats, and Countermeasures. 


Security plans are a tailored application of countermeasures 


to protect assets against threats. 
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A. ASSETS 

An asset 1s any resource of value to an organization. 
Some assets are easily defined or tangible. Other assets are 
meme difficult to identify. Types of information system 
assets are grouped as hardware, software, data, facilities, 
personnel, documentation and supplies (Pfleeger, 1989). 
Examples of assets within each of the identified categories 


are: 


e Hardware: Storage devices such as disk and tape drives. 
e Software: System utilities. 
e Data: Confidential or proprietary information. 


e Facilities: Environmental systems such as slig 
conditioning. 


e Personnel: Systems analysts or consultants. 
e Documentation: Of security policy test and evaluation. 


e Supplies: Paper and printer ribbons. 


For a more complete list of potential system assets, see 
Appendix A (COMNAVDAC, 1991). The degree with which a system 


is distributed changes the scope and value of these assets. 


B. THREATS 

A threat is a circumstance that has the potential to cause 
loss or harm. (Pfleeger, 1989) Threats exhibit varying 
degrees of detectability and controllability. Fire is an 


example of a threat which is easily detectable and 
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controllable. Natural disasters such as floods are easily 
detected but difficulGato coneno® Wiretapping lines of 
communication or infection by computer virus are examples of 
threats which are neither easily detected nor controlled. 
As in a stand-alone system, threats in a distributed 
environment may impact assets in four ways: (COMVAVDAC, 1991) 
® Modification: Altering an asset by changing its 
representation or adding more to the representation. 
e Destruction: The asset 1S not reparable or recoverable. 


e Disclosure: Information is accessed by or released to 
someone lacking a need-to-know. 


e Denial of services: Resources are unavailable to 
authorized users. 

Distributed systems have complicated computer security. 

As computer systems are moved from their well protected 

centralized facilities to unprotected offices, there is an 

increase in the vulnerability of these systems. Among the 

features of distributed systems that lead to vulnerabilities 


are: (McNurlin and Sprague, 1989; Johnson and Layne, 1987) 


e The distribution of hardware 

e The distribution of software 

e The distribution of data 

e The distribution of computer expertise 
e The distribution of documentation 

e The distribution of output 


e Different security policies 
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e Different interfaces 

e Incompatible security architectures 

e Composite risks 

e Lack of strong technical history in network security 


e External exposure of communications media and facilities 


Distributed systems move the actual processing capability 
to end users. End users gain physical and logical control of 
many assets once under the control of the computer or 
information systems department. This shift in control often 
entails a shift in responsibility for protection of the 
system’s assets. (Ahituv and Sadan, 1985) The same assets 
present in centralized systems are present in distributed 
systems. It is the change in the environment that leads to 
changes in threats to the system. (McNurlin and Sprague, 1989) 

Some assets are easily valued by purchase or development 
costs. The valuation of other assets, such as information, is 
organizationally dependent. (Clark and Wilson, 1987) An 
examination of distinct approaches by the Department of 
Defense (DOD) and major corporations can highlight this 
dependency. (Chalmers, 1986) 

The DoD has prioritized potential impacts of threats and 
has placed disclosure of information as its top concern. 
(Winters, 1990) It also has a long standing and highly 
formalized methodology for the classification and protection 


of information. Management has determined the value of the 
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information. The classification of information processed and 
the type of access allowed dictates what pre-defined minimum 
security requirements must be met by any system. System 
managers must use available technology to meet these difficult 
goals (if possible) without regard to cost or impact of the 
countermeasures on the organization. (Johnson and Layne, 1987) 

The corporate approach has prioritized potential impacts 
by threats on its assets and has’ placed modification 
(integrity) of information as its top concern. (Winters, 1990) 
Corporations tend to treat information as an asset with an 
identifiable financial value. It is a management decision to 
value information and to decide what countermeasures are cost 
efficient. Management must also consider the countermeasure’s 


impact on organizational operations. (IBM, 1987) 


C. SOURCES OF THREATS 

The environment in which information exists influences how 
threats may impact assets. A historical review of sources of 
exposure to financial loss can be useful in constructing a 
security plan. These exposures can vary significantly 
depending upon the nature of the establishment and the degree 
of management controls in place. One example of such reviews 
was conducted by IBM. This study shows that personnel within 
the organization may be the greatest source of threats. (IBM, 
1987) A similar study recently conducted further demonstrates 


that personnel with approved access represented the greatest 
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threat to information systems. (Jackson, 1990) A summary of 


the report is shown below: 


e Insider threats: 70% to 80% of Annual Dollar Loss 
e Physical threats: 20% to 25% of Annual Dollar Loss 


e Outsider threats: 1% to 3% of Annual Dollar Loss 


The shift toward end-user computing and distributed systems 


Make security by physical isolation impracticable. 


D. ATTACKS ON INFORMATION IN TRANSIT 

Attacks against information may occur while in transit or 
in storage (see Figure 7). Controls designed to protect 
information in storage are well understood. The same 
countermeasures applicable to stand alone systems are also 
applicable to distributed systems. 

Information in transit is inherently insecure because the 
telecommunication process itself is insecure. Both 
information in transit and the telecommunication process are 
insecure for two reasons. First, the telecommunication 
service provider has been isolated from any legal obligation 
to protect the confidentiality of the information that moves 
through its facilities. Secondly, securing data 
communications would require both investment and technical 
innovation by telecommunication service providers. (Menkus, 


1990) 


Z1 











Figure 7 Information is storage and in 
transit. 


Information in transit attacks may be grouped into the general 
categories of passive and active attacks. (Muftic, 1989; 
Stallings, 1990) 

Passive attacks are designed to disclose information. It 
may involve content learning where information is observed as 
it passes through communication channels without altering its 
contents. Passive attacks may also involve the analysis of 
message traffic patterns on communication channels’ by 
examining the location and identity of users, or message 
length and frequency. (Stallings, 1990) Traffic analysis can 
provide valuable information even though the contents of the 
messages are protected. 

Active attacks may involve disclosure, modification, or 
destruction of information. Message stream modifications 


results from selectively inserting, replaying, or modifying 
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messages. It may also involve the deletion, delay, and order 
change of messages. Services may by denied by delay or 
discard of all the messages. 

In general, pasSive attacks are more difficult to detect 
but are easier to prevent. Active attacks are easier to 
detect but are more difficult to counter. 

The three most significant threats to telecommunication 
facilities have remained consistent over the past 75 years. 
They are people, adverse weather, and accidental destruction 
of telecommunication facilities. (Menkus, 1990) 

e People may misuse facilities by committing unauthorized 
access or by avoiding the payment of user fees and 
charges. 

e Telecommunication facilities are vulnerable to natural 
disasters such as floods, ice storms, blizzards, 
earthquakes, tornadoes, and hurricanes. 

e Accidental destruction of telecommunication facility is 
usually as a result of a fire that affects either the 
installed telecommunication circuits or the structure in 
which the switching facility is located. 
Telecommunication cables strung outdoors on poles are 


commonly placed along a major highway where they may be 
struck and damaged. 


E. OPPORTUNITY OF THREATS 
In comparing threats and assets, the opportunity for a 
successful attack may be dependent on time. One approach to 


examining the effect of time is by dividing computer operation 
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into stages. Five stages are presented to indicate possible 
points of vulnerability. They are: (Bequai, 1983) 
1. Input - when information is translated into a language 
that the computer understands. 


2. Output- Often taking the form of thefts of data, customer 
lists, personnel lists, trade secrets, marketing plans, 


projected earnings, and other valuable confidential 
information. 
3. Programming - the introduction of the step-by-step 


instructions for solving the many problems it will later 
encounter. 


4. Usage- Abuse and theft involving the unauthorized use of 
an employer’s computer. 


5. Transmission - Transmission of data back and forth 
between computers or computers and remote terminals. 
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Iv. ANALYSIS OF COUNTERMEASURES 


A countermeasure is any action, procedure, technique, 
device or other measure that reduces the vulnerability of a 
computer system to the realization of ae threat. A 
vulnerability is a weakness in the protective measures that 
can be exploited to cause harm or loss. (COMNAVDAC, 1991) An 
example of a vulnerability is inadequate fire protection. For 
the purposes of this thesis, the terms countermeasure and 
control are used interchangeably. 

Countermeasures may be conceptualized as performing three 
basic functions. These functions are prevention, detection 
and correction of threats. (Bynon, 1990) A particular 
countermeasure may exhibit more than one of the three basic 
functions. It may also protect more than one type of asset 
against more than one type of threat. (Ahituv and Sadan, 1985) 

Most countermeasures used in stand-alone systems apply to 
systems exhibiting a higher degree of distribution. Sometimes 
they can be applied directly to distributed systems no matter 
what the degree of distribution. In other cases the 
application is very different. For purposes of discussion, 


countermeasures are grouped as follows: 


e Organizational controls 


e Personnel controls 


25 


e Environmental controls 

e Physical access controls 

e Logical access controls 

e Virus controls 

e Application development controls 
e Communication controls 

e Electronic emanation controls 


e Contingency planning and backup controls 


These controls can be used to meet the security goals 
unique to distributed systems identified in Chapter I. 
Methodologies for applying these countermeasures will be 
reviewed in Chapter V. While the groups of controls could be 
applied to any information system, distributed or not, the 
emphasis will be on the application of these controls to the 
specialized requirements of a distributed environment. (IBM, 
1987) 

Each system node must assess its own particular needs and 
practical countermeasures. In large distributed systems, an 
organization may not be able to dictate policy to other nodes 
on a network or to common communication carriers. In such 
cases additional countermeasures must be considered to provide 


continued system operation. (IBM, 1987) 
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A. ORGANIZATIONAL CONTROLS 

Organizational controls are policies and guidelines 
established by the highest levels of management. They are 
strategic in nature in that they dictate policy organization- 
wide and impact how an information system will be used. It is 
how management demonstrates its commitment (fulfills its 
responsibility) to the protection of the organization’s 
information system assets. Examples are the establishment of 
personnel controls or an asset ownership/responsibility 
policy. 

Management Commitment/Responsibility. The formulation of 
security policies and procedures shows the commitment of 
higher level management to security. It also establishes that 
individuals will be held accountable for security. The 
designation of a security officer provides a central authority 
for issues dealing with security. Some functions of this 
position would be to answer security questions, interpret 
policy, and make security effective for the distributed 
system. (Rutledge and Hoffman, 1986) 

With increasing degrees of system distribution, the 
distinction between the traditional data processing person and 
the traditional user is being lost. Yet, management has a 
responsibility to its employees and to the organization. It 
must remove or at least minimize the potential for employees 
to compromise the system. This includes the responsibility to 


reduce temptation as well. To fulfill its responsibility 
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management must establish personnel guidelines, which is 
addressed under personnel controls. 

Considerations when establishing organization-wide 
controls. Organizational controls might apply across several 
divisions within an organization or across’~ several 
organizations. When establishing organizational-wide 


controls, management: 


e Must consider organizational culture and different needs. 


e Must acknowledge the desire for each organizational entity 
to set their own standards. 


e Identify who is the network (system) administrator. 
e Address who defines minimum security requirements. 


e Establish a Memorandum Of Agreement (MOA) for multiple 
organizations connected to the same distributed system. 


e Address the problem of connected networks and where 
differences in protocols, security controls are handled. 


Asset Ownership/Responsibility. As assets are moved from 
centralized systems to distributed systems the responsibility 
for these assets must move also. Responsibility is assigned 
for both physical assets and data ownership. 

Initiation and implementation of a data ownership program 
where none exists is not an easy task. Specifically 
designating responsibility for information is a task much 
broader than the computer processing area. It may have 


implications that involve management philosophy, such as how 
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the organization functions, and could influence the reporting 
structure in the enterprise. (IBM, 1986) 

Policy Establishment. Policies should establish periodic 
audits, password usage, and adequate backup/recovery of 
distributed system resources. New system standards should 
include good security program documentation and operational 
procedures. They should also address source and compiled code 
library management, complete system specifications, and 
procedures to check input data for completeness, relevance, 
and accuracy. (Rutledge and Hoffman, 1986) 

Operational Procedures. Operational procedures are an 
example of organizational eee) They establish procedures 
for day to day operations on all nodes of the system. 
Traditional operational controls include such things as 
controlling errors, supervising error recovery, controlling 
forms and input/output media. 

Beyond selecting reliable system components, management 
should also implement good problem management techniques and 
procedures. Procedures for end users to log, monitor and 
correct errors over a broad geographic area or across 
organizations must be carefully designed. Unintentional 
errors by authorized users is already a major problem. The 
increase in end-user manipulation has the potential to 
increase these errors. End-users may not be able to recognize 


or correctly identify problems. 
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Magnetic media. Magnetic storage media is itself an 
asset. More importantly, the media is used to hold 
information assets. Centralized computer facilities develop 
and enforce rigorous media control policies. These policies 
address areas such aS media marking, storage, destruction, 
security, and accountability requirements. A list outlining 
possible policy components is included in Appendix B. 

Distributed systems distribute information. The lack of 
concentrated information storage, particularly for systems 
comprised of workstations or personal computers, often results 
in omitting control of magnetic media. Organizational policy 
must address the value of the media and information assets to 


select appropriate media controls. 


B. PERSONNEL CONTROLS 

Personnel controls are classified as a type of 
organizational controls. Personnel internal to the 
organization have been identified as the greatest risk group 
to an information system. It is aS an area where management 
can set policy to enhance the security of the system. These 
policies may include, for example, segregating duties or 
establishing criteria for employee selection and retention. 

The need. End-user computing is supported with increased 
distribution. Increased user processing capability also 
increases their ability to incorrectly process information 


with no particular checks and balances. It can potentially 
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corrupt databases unless the system is robust enough to’ 


withstand the challenges to system integrity. It also 
increases problems since access by other than _= select 
information system (IS) staff involves more than highly 
controlled operations or requests. 

Countermeasures. Personnel should be aware of the value 
of system assets. The value of information assets is rarely 
appreciated until it is corrupted or otherwise no longer 
accessible. To help protect these assets, the following 


general areas may be considered: (Jackson, 1990) 


e Background checks. 

e New Employee Indoctrination. 

e Statement of Security Responsibility. 
e Drug Testing. 


e Polygraph Testing. 


Some organizations with many distributed processing (DP) 
assets and networking facilities conduct a pre-employment 
background check. If an individual is processing critical or 
sensitive data, a program of periodic background checks is 
advisable. New employees should be indoctrinated into their 
responsibilities. Compliance with DP asset protection 
responsibilities must be mandatory, and should be considered 
a condition of continued employment. Responsibility must be 


assigned to the data user, owner, custodian, and management. 
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The establishment of an employee code of conduct can clearly 
delineate expected employee responsibility. (IBM, 1986) 

The concentration of data within an organization, such as 
accounting data, is a potential danger because it may allow 
realization of malicious purposes. Separation of data may not 
be practical. Satisfactory control can be gained by 
separating personnel who have access to the data during 
capture, processing, storing, and retrieval activities. This 
separation is labeled segregation of duties. 

Segregation of duties is a basic principle of internal 
control. The basic premise of segregation is that once data, 
processes, or duties are segregated, malicious intent can be 
realized only through collective efforts. Naturally, such a 
coordination of employees to exploit the system is difficult 
EO COOrdI nate: Additional segregation of duties can be 
applied to information systems development and operation 
activities. (Ahituv and Sadan, 1986) 

Because of the nature of network environments, management 
may want to place more emphasis on and exercise additional 
controls over job rotation and employee account restriction. 
Dual responsibility (two person integrity) provides further 
measures of security. (Rutledge and Hoffman, 1986) 

Legal issues. Management must consider the legal issues 
of personnel policy. For example, monitoring and privacy of 
electronic mail have been a subject of debate within the legal 


system. (Bequai, 1983) With end-user computing, employees may 
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develop their own applications. The organization must now 
consider who owns any patents, copyrights, licenses, and trade 
secrets. A contract between end-users and the organization 
can address these issues so that both understand their rights 
and responsibilities. (Pfleeger, 1989) These policies may be 
applied over all nodes of a_ system. The nodes may be 
distributed over a broad geographic area, each with its own 


culture or legal system. 


C. ENVIRONMENTAL CONTROLS 

Environmental threats as a group are the most visible and 
tangible threats. They can also be the most devastating. 
Accordingly, management is most often willing to commit 
resources to control these threats. As the distributed system 
extends across organizational, sites the chance for flire, 
water, and natural disaster damage increase. Environmental 
protection must satisfy two Objectives: preservation of 
physical assets and system availability. Most of the security 
measures used for the computer center need to be carried over 
into distributed systems. (Rutledge and Hoffman, 1986) The 
following environmental controls are primarily oriented to the 
protection of building and facilities. (IBM, 1987) 

Aiieecondi tioning. Air conditioning is employed to 
maintain temperature and humidity within system operating 
parameters. Large computing centers require special air 


conditioning equipment to meet stringent requirements. 
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Distributed system nodes such as work stations or intelligent 
terminals are designed to operate in office environments. If 
continued system operation is needed in the event of facility 
air condition system failure, consideration should be made for 
the installation of a backup system. 

Electrical power controls. Electrical power controls 
protect systems against power supply outages and fluctuations. 
Some common mechanisms are line conditioners, uninterruptible 
power supply (UPS) systems, and backup electric generators. 
(King, 1990) Both line conditioners and UPS systems filter 
commercial power by absorbing fluctuations and ensuring clean 
electrical power. UPS will also continue to supply 
electricity for a short time to safely operate equipment. 
During this period other backup power sources are invoked or 
equipment is shut off. Backup electric generators can be used 
not only to provide power to data processing equipment, but to 
other essential services such as lighting, chilled water, and 
air-conditioning systems. The high cost of installation and 
maintenance of these countermeasures, particularly for backup 
electric generators, must be justified by the degree of 
dependency of the data processing operations. (Jackson, 1990) 

Water. Computer systems are both dependent on and 
adversely effected by water. Water is used for cooling either 
through air conditioning or system components themselves. An 
interruption in supply normally leads to the system exceeding 


safe operating conditions. Undesired events such as leaks in 
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plumbing, air-conditioning, chilled water, or fire suppression 
systems must be anticipated. Thought should also be given to 
moor integrity, integrity, and under floor drainage 
capabilities. Prefitted waterproof covers or simple plastic 
sheeting located in equipment rooms iS a- valuable 
countermeasure Should water leakage occur. (Jackson, 1990) 

Lighting. The degree of lighting requirements within a 
particular facility is dependent on the need for continued 
operation in the event of power failure. If continued 
operation is needed, then the power requirements for adequate 
lighting must be considered when selecting backup power system 
Capacity. 

Fire controls. Centralized computing facilities use a 
variety of fire see and suppression techniques. 
Distributed system components, often located in office 
buildings, are partially protected by fire detection and 
automatic fire suppression systems normally required for such 
facilities. (King, 1990) The value of the equipment in any 
particular location will dictate whether it is economically 
feasible to install dedicated automatic systems that use CO, 
or Halon. Portable fire extinguishers are an excellent first 
line of defense in keeping small fires from spreading. 
Clearly labeled and visible extinguishers should be placed in 


centralized computer rooms, tape and disks storage areas, form 
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storage, and any other auxiliary machine rooms within the 
facility. (Jackson, 1990) 

Housekeeping. In a traditional centralized facility 
housekeeping measures emphasizes cleanliness and minimal 
flammable material (paper) storage within or near the computer 
room to reduce the risk of fire. Distributed system nodes 
within office spaces makes this approach difficult to 
implement. Where waste paper accumulates ‘SNe use of self 
extinguishing waste paper containers can be effective in 


reducing the fire threat. (Jackson, 1990) 


D. PHYSICAL ACCESS CONTROLS 

Physical access controls involve limiting access to system 
assets such as hardware, storage media, and documentation. 
End-user computing Supported by distributed systems 
necessitates increased access to system assets while the 
assets themselves are spread over 2 broad geographic area. 
These controls strive to allow authorized personnel access 
without excessive effort. 

The implementation of physical access controls must 
include the identification of areas where they may be 
practiced. Some possible areas unique to distributed systems 
are: (IBM, 1987) 

e Remote facilities whether located in the same building or 
in another site. 


e Communication link components. 
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e Common-carrier-provided equipment, links, and facilitiés” 


through which organizational data must be transmitted. 

e Network control center facilities that normally house all 
of the specialized network equipment for patching, 
monitoring, and testing network components. 

e Information center facilities that have been established 
as the focal points for helping end-users in the design 
and implementation of specialized department applications. 


e User required materials like operations manuals, floppy 
disks, and copies of licensed vendor supplied software. 


e Shared remote printer output areas. 


The centralized system approach to physical access 
controls emphasizes the placement of computer resources in 
limited access areas. This approach segregates assets such as 
computers, peripherals, removable secondary storage media and 
personnel. Distributed systems move assets into environments 
such as offices where limiting access to all components is 
neither practical or desirable. In these cases additional 
measures such as securing cables and locks on pilferable items 
provides added security. (Jackson, 1990) 

Unauthorized physical access requires knowledge of the 
asset’s existence. The visibility of critical system 
components must be limited. Avoid advertising the location of 
assets such as wiring closets or network file servers with 
external markings or signs. (Jackson, 1990) 

The required complexity of physical access controls can 
depend on the size of the organization and hours of operation 


at any particular node of the system. For small organizations 
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Simple measures may be appropriate since an unauthorized 
individual would be easily recognized. In larger 
organizations this approach is not practical and would require 
more formalized controls. Some methods that restrict access 
include: (McNurlin and Sprague, 1989) 
e Having a receptionist monitor access at the office 
entrance. 


e Using badges and color codes on badges to indicate 
authorization. 


e Signing passes for taking assets in and out of the 
facilicy. 

After working hours, physical access _— be further 
restricted since authorized user activity is low. Some 
heightened measures include locking doors and windows, having 
adequate night lights, and hiring a security service. While 
not authorized users, Seyet torial services are active after 
hours and require access to perform their functions. Of 
particular concern are the procedures used by the janitorial 
service. Though convenient to the janitors, unlocking several 
doors provides the opportunity for unauthorized personnel to 
gain access. The effective control of keys is an important 


part of physical access controls. (McNurlin and Sprague, 1989) 


E. LOGICAL ACCESS CONTROLS 
Access controls provide for the prevention of unauthorized 


use of assets. Unauthorized use includes the use of an asset 
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in an unauthorized manner. (COMNAVDAC, 1991) Access 
privileges are a function of three basic components. These 
components are defined as: (NCSC, 1987) 

e Subjects. An active entity, generally a person, process, 


or device that causes information to flow among objects or 
changes the system state. 


e Objects. A pasSive entity that contains or receives 
information. Access to an object potentially implies 
access to the information it contains. Examples of 


objects are: records, blocks, pages, segments, files, 
directories, directory trees, and programs, as well as 
bits, bytes, words, fields, processors, video displays, 
keyboards, clocks, printers, etc., (network resources) 
access rights (entry privileges). 


e Conditions for resource usage. 


By manipulating these three basic components, access 
control limits the rights or capabilities of a subject to 
communicate with other subjects. They can also limit access 
to functions or services within a computer system or network. 
(NCSC, 1987) 

Mechanisms providing logical access control may be 
structured in the form of lists, a matrix, a binary tree, or 
a more general hierarchical structure. In any form, access 
control mechanisms must contain information necessary to 


provide controlled access to network assets. (Muftic, 1989) 


Logical Segmentation. Logical access performs two types 
of segmentation. The first is the identification and 
verification of authorized users. The second is to limit 


Sie, 


authorized users access to only those resources required to 
accomplish assigned job functions. (IBM, 1987) 

Placing a value on information often facilitates grouping 
the information into classes. Multiple classes of information 
can be processed within or across several nodes of a system. 
The method of limiting access to resources by segregation must 
be part of the security plan. Five possible modes of system 
operation based on the classification(s) of information and 
access allowed are: partitioned, dedicated, multilevel, system 
high, and limited access. These modes of operation dictate 
the type of segregation employed and are defined as: (NCSC, 


1987) 


e Partitioned. A mode of operation wherein all personnel 
have the clearance, but not necessarily a formal access 
approval and need-to-know, for all information handled by 
the system. 


e Dedicated. The mode of operation in which the system is 
specifically and exclusively dedicated to and controlled 
for the processing of one particular type of 
classification of information, either for full-time 
operation or for a specific period of time. 


e Multilevel. The mode of operation that allows two or more 
classification levels of information to be processed 
Simultaneously within the same system when some users are 
not cleared for all levels of information present. 


e System High. The mode of operation in which system 
hardware and software is only trusted to provide 
discretionary protection between users. In this mode, the 
entire system, to include all components electrically 
and/or physically connected, must operate with security 
measures commensurate with the highest classification and 
sensitivity of the information being processed and / or 
stored. All system users in this environment must possess 
clearances and authorization for all information contained 
in the system. All system output must be clearly marked 
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with the highest classification until the information has 
been reviewed manually by an authorized individual to 
ensure appropriate classification and that caveats have 
been affixed. 


e Limited Access. A mode of operation relating to 
unclassified data only, clearances are not required, but 
access iS restricted to users with need-to-know. The 


control is provided by special access controls such as 

read/write keys, user Ids and passwords. 

These modes of operation are applicable to all systems no 
matter what the degree of system distribution. It is the 
mechanism to implement the mode of operation that becomes more 
complex as the degree of distribution increases. 

Distributed system design should include sufficient 
controls to defend themselves against access’ threats. 
Unfortunately, most systems are not considered sufficiently 
trustworthy to do so. Information systems not trusted to 
segregate information of various classification levels operate 
in the dedicated or system high mode. In such operation, all 
authorized users must have security clearances appropriate for 
the highest classification of data on the system though 
actual access may not include all system objects. Output from 
these systems is protected as though it contains the most 
highly classified information. Output must be reliably 
reviewed and its actual classification and sensitivity 
verified. (Neugent, 1989) 

Centralized/Distributed Control. Two basic designs exist 
for network logical access controls. Centralized access 


control involves a centrally managed and controlled network 
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monitoring and security system. A particular location or node 


provides system wide: 


e Access authorization management. 
e Issuance of user identification. 
e Password management. 


e Audit trail management. 


Under distributed access control, each node independently 
handles such requirements though a frequent information 
exchange process. Users having gained access on one node 
normally are accepted on other nodes of the system. Larger 
systems tend to employ architectures that are a combination of 
the two. (Lace, 1990; Browne, 1984) 

Effect of topology. The network topology determines how 
interconnect schemes will influence the ability to secure 
data. (Lace, 1990) An important factor in deciding on how to 
implement logical access control ina distributed environment 
is the topology of the system. The hierarchical or star 
topology favors central control. A star topology or 
hierarchical interconnect topology offers the best security 
control because the control can be centralized or constructed 
modularly. 

Other topologies favors distributed control and are 
characterized by a lack of an identifiable centralized node to 
provide access controls to the network. Architectures such as 


ring, mesh, or bus topologies, tend to disperse the control to 
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individual nodes. These topologies rely on exchanges of. 


information to maintain system integrity and security. (Lace, 
1990) 

Centralized control suffers in performance since all 
requests must first be passed to, processed by, and returned 
from the central node. Administrative overhead grows as the 
degree of access control increases, and as the system size 
increases. Distributed network control is weak in security 
policy enforcement. This deficiency stems from different 
security attributes available on each node. For example, data 
that is weakly protected on one node could be sent to another 
node, altered, and returned to the original without the 
originator knowing that this occurred. Thus, data integrity 
can be easily compromised unless detection and subsequent 
countermeasures are implemented. These measures could include 
host or user alternatives, such as port protection devices, 
and encryption/decryption devices. (Lace, 1990) 

Implementation. Implementation of logical access controls 
requires invoking good administrative procedures. These 
procedures must first identify the resources to be protected. 
They must identify each individual in the organization with a 
unique user identifier. Lastly, they must provide an 
authentication capability to verify that a user is really who 
he or she claims to be. These procedures may be accomplished 


by having each user represented to the system by: 
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e What the user knows - passwords. 

e What the user has - magnetic card or token. 

e What the user is - biometrics such as fingerprints, 
signatures, retinal scans. 

They may also be accomplished by providing’ an 
authorization scheme by which the resource owner has the 
responsibility: 

e To identify the users or user groups who may access the 
protected resources. 


e To identify the access authorization to be granted and 
assigning to each individual user or user group. 


e Of recording resource utilization. 
e Of taking appropriate management action to correct 


variances to normal behavior and to prevent future 
occurrences of violations. 


F. VIRUS CONTROLS 

Virus is defined as "Code that covertly replicates itself 
onto previously uncontaminated media without initiation by 
the operator of authorized users." (SECNAVINST, 1989) 
Replication usually occurs during copying of files to magnetic 
media, or during computer to computer communications. The 
code usually contains malicious logic that is triggered by 
some predetermined event. When triggered, the code then takes 
a hostile action against host computer systems. 

The issues surrounding malicious software such as computer 


virus are intriguing. It is important not to overlook the 
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fact that they are created by people. Hence, computer virus 
can be addressed a personnel problem. A virus is a tool used 
by people to extend and enhance their ability to create 
mischief and damage. Malicious software exploits the same 
vulnerabilities as can knowledgeable users. Thus, any steps 
taken to reduce the likelihood of attack by malicious software 
should address the likelihood of unauthorized use by computer 
users. (NIST, 1987) 

Controls based on system size. A distinction may be made 
between multiuser computers with associated networks and 
personal computers (workstations) with associated networks. 
(NIST, 1987) Virus prevention differs mainly in the 


following two respects: 


e The relative lack of technical controls. 

e The resultant emphasis this places on less technically 
oriented means of protection which necessitates more 
reliance on user involvement. 

Distributed systems based on personal computers or 
workstations typically do not provide technical control for 
such things as user authentication, access control, or memory 
protection that differentiates between system memory and 
memory used by user applications. The lack of controls 
permits users to share and modify software. Thus, small 
computer based systems are more prone to attack by viruses, 


unauthorized users, and related threats. (NIST, 1987) 
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Regardless of the size of the system, the following groups 


of efforts are useful in combating virus threats: (NIST, 1987) 


e General policies. 

e Software management. 

e Technical controls. 

e Monitoring and audit trails. 


e Contingency planning. 


Controls based on the degree of distribution. Virus 
prevention in the multiuser computer environment is aided by 
the centralized system and user management, and the relative 
richness of technical controls. Unlike personal computers, 
many multiuser systems possess basic controls for user 
authentication, for levels of access to files and directories, 
and for protected regions of memory. These controls are not 
adequate by themselves. Distributed systems can greatly 
reduce their vulnerabilities to attack when combined with 
other policies and procedures that specifically target viruses 
and related threats. (NIST, 1987) 

Types of controls. There are a number of different 
controls which can be implemented to prevent viruses or detect 


those that exist: (Phillips, 1990) 


e Use a "virus antibiotic program" on all new software. 
e Isolate new software until it is tested. 
e Know the origin of all software, don’t use unsealed 


software from unknown sources. 
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Be wary of download software, especially from public 
bulletin boards. 


Don’t let anyone put anything on a machine without 
authorization. 


Periodically check for reinfection. 
Use file/program checksum. 
Compare the length of programs regularly. 


When ever possible, boot from the hard disk, not a 
diskette. 


For diskette-only computers, always boot from the same 
write-protected diskette made from an original system 
diskette. 


Find and remove extraneous command.com copies from the 
hard disk. 


Use type domain mechanisms. 
Ensure proper password use. 
Use trusted system operating systems. 


Ensure purchased commercial software is in its original 
shrink-wrapping. 


Buy software only from reputable sources. 


Restrict access to systems programs and data on a need-to- 
know basis. 


Put software on CD-ROM. 

Backup your data files regularly. 

Write protect executable files. 

Encrypt executable files. 

Monitor the modification dates of programs and files. 
Use removable hard disks. 


On a hard disk system, never boot from an "imported" 
floppy. 
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® Do not keep diskettes inserted unless actively in use. 


e Inoculate program files with commercially available virus 
protection software. 


e Look for changes in volume labels. 
e Run suspect programs on unimportant diskettes. 
e Watch for changes in a systems’s operation. 


e Clear memory before and after running a confidential 
program. 


e Forbid employees to install unauthorized software on 
office computers or to take office software home for use. 


e Never attempt to isolate or remove a virus from a 
currently active computer. Boot froma "clean" diskette. 


e Remove from service all copies of a suspect program and 
immediately back up all related data. 


G. APPLICATION DEVELOPMENT CONTROLS 
Application development controls are a set of procedures 


to guide the development and maintenance of software used to 


store, manipulate, or communicate the  organization’s 
information assets. End-user involvement in application 
development has placed new demands on the process. Some of 


these demands are: 


e Greater demands of features, performance, flexibility. 
e Demand greater involvement in the development process. 
e Their acceptance of new systems more important. 


e May need to operate on different systems (hardware or 
operating systems) attached to the network. 
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Though satisfying immediate end-user demands, the — 
localized development of applications can lead to incompatible 
Gata. The close coupling of data to specific applications 
result in isolated islands of data. 

Countermeasures. Traditional application development 
controls consist of steps such as project phase reviews under 
a project control system, establishing standards, controlling 
changes, quality control, and library content control. 
Improved programming technology techniques like structured 
programming enhance software portability and maintainability. 
The auditing of applications to a set of expectations is also 
beneficial in maintaining compatibility across a distributed 
system. 

Organizations that choose to implement a distributed 
approach to applications development should also be prepared 
to support the new environment. Some items which should be 
considered for inclusion in guidelines are: 

® Acquiring only authorized software that meets 
organizational needs. 

e Documentation requirements for locally-developed code. 

e Rigorous change procedures. 

e Downloading of object code only from the host. 

e Testing and integration procedures for new applications. 

e Data backup and migration practices. 


e Documentation requirements for operation of the 
application. 
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e Requirements for logging application events. 

e Requirements for data integrity. 

e Requirements for auditing application results. 

e Requirements for logging of input/output errors. 


e Requirements for fault isolation and resolution. 


H. COMMUNICATION CONTROLS 

Distributed systems is defined in Chapter I by the 
presence of electronic communications between multiple nodes 
of a system. Telecommunications is identified in Chapter III 
as inherently insecure. (Menkus, 1990) The implementation of 
controls designed to protect communications is essential to 
maintain the integrity of a distributed system. Two groups of 
controls will be examined. They are cryptographic and dial-up 
conierols. 

The telecommunication process involves an origin, a 
destination, and the intervening transmission. Transmission 
is the aspect of telecommunications where the inherent 
weakness in most data communications security processes is to 
be found. Transmission is the most complex and unpredictable 
aspect of telecommunications. It is the unpredictability that 
created the weakness. (Menkus, 1990) 

Communications Security Approaches. All communications 
controls are classified as providing link oriented or end-to- 


end oriented services. Link oriented controls protect 
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information in transit on each discrete communication link 
between nodes. End-to-end controls protect information in 
transit from its source to its destination. These two 
approaches are implemented differently and provide different 
security services. (Rutledge and Hoffman, 1986) 
Cryptography. Cryptography involves rendering plain text 


unintelligible and for converting encrypted text into 


intelligible text. The implementation of cryptographic 
controls may be implemented in Several ways. Some examples 
are: 

e Link encryption. One physical communication link is 


protected by installing cryptographic devices on each end 
of the communications link. 


e Integrated cryptography. The node’s operating system 
controls the capacity to selectively encrypt information 
before transmission. 

e Application Software. Application software controls the 
Capacity to encrypt information. 

Cryptographic controls have two major limitations. First, 
encrypted information protection is limited to content 
disclosure. It is best used as a supplemental control to 
defeat disclosure of information threats for information both 
in transmission and in storage. Secondly, effectiveness of 
cryptography iS based on the quality of the selected 


encryption algorithm, cipher key generation, and cipher key 


protection. (IBM, 1986) 
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Cryptography may be used as both a link oriented control 
and an end-to-end oriented control in communications security. 
Link encryption requires each vulnerable communications link 
to be equipped on both ends with an encryption device. Both 
the information and system routing instructions are protected 
from contents disclosure during transmission. However, the 
information 1s vulnerable to disclosure within any 
intermediate node of the distributed system. (Stallings, 1990) 

End-to-end encryption involves the source encrypting the 
information that is transmitted across the distributed system. 
Since intermediate nodes may be involved, system routing 
information cannot be encrypted. The destination decrypts the 
information data by using a shared key. This approach 
protects the information from content disclosure both during 
transmission and while in any intermediate node but still 
suffers limitations. While information is safe from 
disclosure, the traffic pattern is not. 

Limitations of link oriented or end-to-end oriented 
cryptography may prevent either of the schemes from providing 
adequate protection. Security requirements may be better met 
by the combined use of these two schemes. By employing both 
forms of encryption, the origin encrypts the information to be 
transmitted using end-to-end encryption. During transmission 
link encryption is employed for each vulnerable communication 
link. Thus, during transmission the entire message is 


protected from disclosure. At any intermediate node, only the 
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system routing information is available, the remainder being 
protected by the end-to-end encryption. 

pat Up Controls. The ability to remotely access 
information systems increases system connectivity for the 
organization. Dial up ports can be accessed from anywhere in 
the world that is supported by common telephone networks. A 
system’s dial up ports, regardless of the degree of 
distribution, present a major access point to the system where 
threats may attack. In addition to the physical access 
mechanism, controls such as logical access must be employed to 
Maintain system integrity. (Troy, 1985) 

Dial-up controls are Beaeed on three primary functions. 
They are identification, audit trail, and brute force attack 
limits. User identification and authentication are the 
cornerstone of access controls. Audit trails are useful in 
identifying user difficulties and attempted intrusions. Brute 
force attack limits act by controlling the number of access 
attempts per connection session. These functions may be 
provided by node or network operating systems. External 
devices may also be employed if the systems are not capable of 
providing these functions. (Troy, 1985) 

The actual implementation of dial up controls can be at 
one or both ends of a potential communication link involving 
Gial up ports. One-ended protection approaches for dial up 
communications security employ controls at the host computer’s 


port. Port protection devices (PPD) are external to the 
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system and perform services before and independent of the 
system’s own access control functions. Primary features of a 


PPD include: (Troy, 1985) 


e Password tables. Provides password based access 
protection for the computer’s ports independent of any 
potential system password access control. 


e Dial-back to call originator. Provides a second level of 
user or port authentication beyond the standard PPD 
password table. A typical connection attempt might 
involve a user accessing the PPD and entering a password. 
The PPD ends the connection and validates the user. The 
PPD then returns a call to a predetermined number 
associated with the given password to establish a 
communications session. 


e Hiding the port’s existence. Several approaches may be 
used to mask the port against accidental discovery of the 
port’s existence. They include user terminal screen 


displays that are initially blank or ambiguous, require 

user knowledge of procedures to gain access to the systen, 

or even response by synthesized voice. 

e Audit trail of connection events. Provides the system 
administrator to review both user difficulties and 
unsuccessful attempts to access the port. 

Two-ended protection approaches for additional dial-up 
communication security may be employed when more positive 
identification of the specific terminal or user may be needed. 
The two-ended approach uses a device or software on each end 
of the communications link. These devices use complex 
algorithms uniquely associated with specific terminals or 
users. For user convenience algorithms may be embedded into 
integrated circuit chips encased in some form of "token" such 


as a plastic card. Others are embedded in the circuitry of 


system components providing communications services. This 
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approach avoids the user having to remember passwords. The 
added protection provided by two-ended protection devices no 
the dial-up communications network, however, must be justified 
against increased cost. (Troy, 1985) 

Backup telecommunication services. To enSure availability 
of critical communications services organizations typically 
employ two different approaches. The first is to acquire 
duplicate communications facilities. The second is to use 
alternate communications technologies that can be deployed in 
an emergency. Either of these approaches may be implemented 
by direct acquisition or as services provided by organizations 
that specialize in providing backup communications mechanisms. 


(McNurlin and Sprague, 1989) 


I. ELECTRONIC EMANATION CONTROLS 

Electronic emanations are signals transmitted as radiation 
through the air and conductors. Emanations security controls 
are measures deSigned to deny unauthorized access’ to 
information that might be derived from intercept and analysis 
of compromising emanations. This threat leads the United 
States Government to develop the TEMPEST (Transient 
ElectroMagnetic Pulse Emanation STandard) program and related 
technology. (COMNAVDAC, 1991) Due to cost and rigorous 
program requirements, TEMPEST technology is used primarily to 


protect classified information. Federal government, military, 
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and defense contractors are the primarily users. (Jackson, 
1990) 

Two traditional approaches are taken to prevent disclosure 
through emanations. The first employs shielding system 
components or entire computing facilities to trap signals. 
The second is the modification of emitted signals such as the 
addition of spurious’ Signals. Through shielding or 
modification of the emanations, adversaries are prevented from 
intercepting and interpreting electromagnetic emanations from 
computers, communications devices, and other electronic 
equipment. (Jackson, 1990) 

Electronic communications used by distributed systems 
complicates emanations security. Wire communications media 
are subject to passive wiretapping. Microwave signals are 
transmitted through the air, and are susceptible to monitoring 
anywhere along the signal path. Satellite communications pose 
even greater potential for interception. In each case the 
volume of information transmitted makes separation of 
individual transmissions difficult. Link or end-to-end 
oriented communications controls provide additional assurances 


of maintaining system integrity. 


J. CONTINGENCY PLANNING AND BACKUP CONTROLS 
Contingency planning and backup controls are frequently 
included as part of organizational controls. A list outlining 


components of contingency plans is included in Appendix C. 
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These plans must address actions to be taken if processing 
centers or support facilities were to face a catastrophic 
event. Management must recognize that centralizing processing 
into one or a few centers may be a high security risk. If a 
successful threat attack wipes out a centralized facility, the 
organization could suffer losses even when provisions have 
been made for a backup center. (McNurlin and Sprague, 1989) 

Distributed systems increase the total risk an 
organization faces. Yet, its geographically dispersed nodes 
and electronic connection also provides a unique 
countermeasure to avoid catastrophes. Multiple nodes present 
in distributed systems can provide higher overall reliability 
and availability than centralized mainframes. 

Organizations which use distributed systems as part of 
their disaster recovery program perform critical processing 
functions locally rather than centrally. The distribution of 
processing permits operations to continue uninterrupted at all 
other nodes of the system when one is successfully attacked. 

Hardware and application selection to these organizations 
becomes critical. Often they are standardized so that each 
node is capable of serving as a substitute for any other node. 
The arrival of industry open system architectures and families 
of compatible systems has helped to lessen this requirement. 
The cost of security by redundancy must be viewed against the 
criticality of any particular process or information. 


(McNurlin and Sprague, 1989) 
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V. SECURING DISTRIBUTED SYSTEMS 


Commitment by organizational management is critical for 
the success of a computer security program (Powell, 1990). 
Management must be made aware of the impact of threats against 
the organization’s assets such aS compromise of national 
security, media attention, monetary loss, or legal liability 
(Wood, 1990). There are two elements in managing computer 


security. They are: 


e Risk Management. 


e Developing a security plan. 


Figure 8 displays a general model of protecting assets 
from threats. The importance of any particular layer of 
controls (identified in Chapter IV) is dependent on the 
particular environment in which a distributed system exists. 
In this model, system assets are protected by the cumulative 
efforts of all controls implemented. 

Another model, depicted in Figure 9, is based on the 
functionality of controls displaying the relationship between 


threats, vulnerabilities, and assets. 
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Figure 8 
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Figure 9 Functionality of controls. 
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A. RISK MANAGEMENT AND SECURITY PLAN 
Risk management may be either qualitative or quantitative. 
(Palmer, 1990) There are four strategies when addressing risk 


control. They are (Pfleeger, 1989): 


e Risk avoidance. Avoid or prevent loss. 


e Risk reduction. Minimize the potential for successful 
attack. 


e Risk transfer. Move critical functions to systems already 
protected. 


e Live with it. Risk acceptance with a contingency plan in 
event of successful attack. 

Applied to distributed systems, risk management is the 
process of identifying, measuring, and minimizing uncertain 
events affecting system Beacte: Risks can differ greatly from 
one organization to another depending on its activities. (IBM, 
1987) Even within an organization, different nodes of a 
distributed system may exist in unique environments and 
require individual attention. Risk management includes the 


following functions: (COMNAVDAC, 1991) 


e Risk analysis. 

e Cost benefit analysis. 

e Safeguard selection. 

e Security test & evaluation. 
e Contingency planning. 


e Systems reviews. 
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The purpose of risk analysis is to establish and maintain 
the most cost effective controls which provide an acceptable 
level of security. It iS an orderly process rooted in 
management practices. Reasons to perform risk analysis 


identified by (Pfleeger, 1989) are: 


e Improved security awareness. 
e Identify existing assets, vulnerabilities, and controls. 
e Improved basis for decisions. 


e Justify expenditures for security. 


Several different schemes exist for performing risk 
analysis. Each scheme follows the same basic steps. These 


steps identified by (Pfleeger, 1989) are: 


e Identify assets. 

e Determine vulnerabilities. 

e Estimate likelihood of exploitation. 

e Compute expected annual loss. 

e Survey application controls and their costs. 


e Project annual savings of control. 


The selection of possible controls should involve more 
than just a cost benefit analysis. The feasibility of each 
control may be determined by examining three factors. These 
three factors are economic feasibility, technical feasibility, 


and operational feasibility. (Browne, 1979) 
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e Economic feasibility. Traditional cost benefit analysis of 
the value gained by the organization from the control 
against the cost of implementing the control. 

e Technical feasibility. An organization must possess the 
technical capability to manage the control. Industry must 
possess the technical capability to provide and maintain 
emee control. 

e Operational feasibility. How the control will influence 
the operation of the organization. 

Different nodes of a distributed system may select 
different controls for the same threats against identical 
assets based on these three factors. 

Risk analysis is the study of the risk of some action. It 
is the first step in identifying threats, assets, and controls 
for any system. The risk analysis results are then used as 
the basis for developing a comprehensive security program. 

A security plan 1S a comprehensive guide of an 
organization’s security activities. The plan is both a 
description of the organization’s current security posture and 
blueprint for change. (Bynon, 1990) It is an organization- 
wide policy statement by the highest levels of management. 
This policy sets the overall goals and provides a set of 
benchmarks for measuring achievement. Supporting documents 
and instructions provide more detailed and environment 
specific objectives. So. eee security "plans" are a 
collection of controls added on a piecemeal basis without 


consideration for the overall threat. (Browne, 1979; IBM, 


1987) 
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The contents of a security plan is specific for a 
particular organization as it expresses its goals. A security 
plan must also be justifiable in terms of cost and potential 
impact on the organization. (Tate, 1988) A simple return on 
investment approach may not fully identify benefits derived 
from a security program. Consideration must be given to less 
tangible services such as the integrity of information used by 
management to make decisions. A comprehensive plan can also 
be used to an organization’s competitive advantage such as 
increasing customer confidence. (Wood, 1991) The plan is 
subject to periodic review and revision as the security needs 
of the organization change. (Jackson, 1990) General areas 
that every security plan must address are: (Pfleeger, 1989; 
Bynon, 1990; Stephenson, 1991) 

e Policy. A statement iciteacina the goals of a computer 
security effort and the willingness of personnel to work 
to achieve those goals. 


e Current state. A description of the status of security at 
the time of the plan. 


e Recommendations. Steps that will lead to meeting the 
security goals identified previously. 


e Accountability. A listing describing who is responsible 
for each security activity. 


e Timetable. A record identifying when different security 
functions are to be done. 


e Continuing attention. A statement specifying a structure 
for periodic review and revision of the security plan. 
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When establishing a security plan, select those items 
identified under risk management which provide the greatest 
visible benefit for the least cost. Initial success of the 
plan will bolster management support. As the organization 
matures in its security posture, less overt emphasis on 
security will be required. General awareness of security 


issues become integral in corporate culture. 


B. TRUSTED COMPUTER BASE (TCB) 

The Department of Defense (DOD) has played a lead role in 
the evolution of computer’ security. Six underlying 
requirements have directed DOD efforts in secure computer 


systems. They are identified (NCSC, 1985) as: 


e Security policy. There must be an explicit and well- 
defined security policy enforced by the system. 


e Identification. Every subject must be uniquely and 
convincingly identified. Identification is necessary so 
that subject/object access request can be checked. 


e Marking. Every object must be associated with a "label" 
that indicates the security level of the object. The 
association, which is also known as "marking" the object, 
must be done so that the label is available for comparison 
each time an access to the object is requested. 


e Accountability. The system must maintain complete, secure 
records of actions that affect security. Such actions 
include introduction of new users to the systen, 
assignment or change of the security level of a subject or 
an object, and denied access attempts. 


e Assurance. The computing system must contain mechanisms 


that enforce security, and it must be possible to evaluate 
the effectiveness of these mechanisms. 
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e Continuous protection. The mechanism that implement 
security must be protected against unauthorized change. 
Based on these six requirements, the DOD has developed a 

set of theoretically based standards. They define levels of 
information security in terms of function and assurance. 
These standards are published in the document called Trusted 
Computer System Evaluation Criteria, TCSEC, otherwise known as 
"The Orange Book" (DOD-5200.28-STD). (Lorin, 1988) Tne slew 
of trust required by specific system environments is described 
in the "Computer Security Requirements -- Guide for Applying 
the DOD TCSEC in Specific Environments" (CSC-STD-003-85). 
The private sector has become more concerned as a result 
of increased instances of computer intrusion. As the DOD, the 
private sector has become increasingly dependent-= on 
information processing assets. Any increase in dependency on 
any particular asset increases the potential impact of that 
asset being attacked. It has also been pressured by the 


government for the concern that private-sector data represents 


a national resource. Fifteen factors driving the civilian 
computer security market are identified by Wood (1990). They 
are: 


e Media attention. 
e External auditor comments. 
e Insurance premium rating. 


e Information system expenditures. 
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e Personal liability. 

e Government laws and regulations. 

e Military research. 

e Elastic demand curve. 

e New technologies outstrip controls. 
e System interconnection. 

e System integration. 

e Distributed data processing. 

e Computer literacy. 

® Commodity platforms. 


e Security standards. 


Most large general purpose information systems, including 
distributed systems, support multiple subjects’ (users) 
accessing multiple levels of object (data) classification. 
Strict limits on users access rights must be defined. 
Further, there must be no method for violating these limits. 
(Lorin, 1988) 

The alternative to multi-subject, multi-level object 
systems is the employment of dedicated systems for each level 
of information classification. The premise of this scheme is 
physical isolation to improve information security. Oehaeless 
scheme becomes unmanageable for large systems where it would 
result in the proliferation individual systems and associated 
assets. While the information held on any one system may be 


more secure, the overall organization is less secure because 
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larger populations must be trusted. The interconnection of 
computers makes the concept of physical security at a single 
system inadequate to address the security issue. (Lorin, 1988) 

Some researchers extending TCSEC to trusted distributed 
systems maintain that there is little intrinsic difference in 
the assurances required from a trusted stand-alone system. In 
each case, access control policy dictates all allowed access 
between each subject and each object on the system. Formal 
verification is used to provide assurance about system 
compliance to the access control policy (Schaefer, 1985). 
Other researchers feel that a disproportionate amount of 
effort is placed in ensuring access control of classified data 
while not properly addressing information integrity. (Clark 
and Wilson, 1990) 

TCSEC has been formally extended to distributed systems by 
the DOD National Computer Security Center (NCSC). The ensuing 
document is called Trusted Network Interpretation (TNI), 
otherwise known as "The Red Book". TNI uses the term network 
to represent all types of distributed systems. Accreditation 
is the managerial authorization to operate a system which has 
been proven to be in compliance with TCSEC requirements. TNI 
recognizes two means of accrediting networks. Systems can be 
viewed as a collection of independent nodes which are created, 
managed, and accredited through a joint approval process. 
Alternatively, a network can be treated as a single system and 


accredited as a single entity. (Lance, 1990) 
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Through interpreting the TCSEC for networks, TNI contains 
all of the criteria in the TCSEC and adds rationale to 
applying trust technology to network systems. As with TCSEC 
itself, the interpretation has been prepared to provide 
guidance over three areas. As listed in the TNI they are: 

e To provide a standard to manufacturers as to what security 
features and assurance levels to build into their new and 
planned, commercial network products in order to provide 
widely available systems that satisfy trusted requirements 
for sensitive applications. 

e To provide a metric by which to evaluate the degree of 
trust that can be placed in a given network system for 
processing sensitive information. 

e To provide a basis for specifying security requirements in 
acquisition specifications. 

TNI is presented in two parts. Part I is the direct 
interpretation of TCSEC for network systems. The specific 
security features, assurance requirements, and the rating 
structure of the TCSEC are extended to networks of computers 
ranging from isolated local area networks to wide-area 
internetwork systems. The primary emphasis of Part I, as 
TCSEC, is controlling access to information. 

The procedure for determining the minimum security 
requirements for a network parallels the procedure for a 
stand-alone system. The procedure for computing the risk index 


contains six major steps (DODD 5200.28 Enclosure (4)). These 


steps are listed as: 
1. Determine system security mode of operation. 
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2. Determine minimum user clearance or authorization rating. 
3. Determine maximum data sensitivity rating. 
4. Determine risk index. 


5. Determine minimum security evaluation class for computer- 
based controls. 


6. Determine adjustments to computer security evaluation 
class required. 

The risk index is used to determine which NCSC-evaluation 
ratings is required of the system to provide adequate security 
aS minimum requirements. 

TNI Part II contains additional network security concerns 
Such as communications integrity, denial of service, and 
transmission security. TNI Part I does not describe all the 
security requirements that may be imposed on a network. 
Depending upon the particular environment, other measures may 
be required. Examples of the functionality of security 


services are (NCSC, 1990): 


e Authentication. 

® Communications field integrity. 
e Non-repudiation. 

e Denial of service. 

e Protocol based DOS protection. 
e Network management. 

e Data confidentiality. 

e Traffic flow confidentiality. 


e Selective routing. 
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These concerns differentiate the network environment from 
the stand-alone computer. Some concerns take on increased 
Significance in the network environment while others do not 
exist on stand-alone computers. Many are outside the scope of 
Part I or lack theoretical and formal analysis. The criteria 
in this Part II addresses these concerns as additional 
security requirements that may vary among applications. 

TNI Part II security requirements describe qualitative 
evaluations of security services in terms of functionality, 
strength of mechanism, and assurance. The fact that Part II 
services have not been supported by equally well developed 
theories and detailed evaluation criteria should not be 
interpreted to imply that their security problems do not have 
to be evaluated as rigorously as TNI Part I. | 

The Trusted Network Interpretation (TNI) Environments 
Guide (TNIEG) addresses many issues needed to achieve the 
level of trust required in different network environments. It 
complements the TNI, just as the Trusted Computer System 
Evaluation Criteria (TCSEC) Environments Guide complements the 
RCSEC. It is an evolving document which advances as 
technology and experience is gained in implementing trusted 
networks. This document applies to networks that are 
entrusted with the processing of information, regardless of 
whether that information is classified, sensitive, or 


otherwise relevant to national security. 
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VI. CONCLUSIONS AND RECOMMENDATIONS 


The primary research focus was on identifying aspects of 
computer security unique to distributed systems. This study 
was designed to help managers gain an appreciation for 
security issues faced in distributed environments. Security 
goals related to distributed systems were identified in 
Chapter I. These goals were derived from a wide range of 
literature sources. These must be combined with other 
objectives applicable to stand-alone systems to achieve an 
overall security plan. 

It is interesting to note strong similarity between the 
security goals listed in Chapter I and goals of the highly 
formalized TCSEC security program. It is also interesting to 
compare the impact of organizational culture on the 
implementation of security programs. Vast differences are 
seen in the actual security programs stemming from similar 
goals. 

Characteristics of distributed systems are and why they 
differ from stand-alone systems were introduced in Chapter II. 
The differences were the underlying causes of the security 
goals posed in Chapter I. 

Chapter III assisted in identifying system assets. A list 


of possible assets iS provided in Appendix A. It also 
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discussed the nature of threats to systems which possess 
characteristics associated with distributed systems. eeptes 
IV covered a broad scope of countermeasures which may be used 
to protect distributed systems. It provides the basic tools 
used in securing distributed processing. Again, this was not 
a complete list, but rather focused on those countermeasures 
applicable to distributed systems. 

The general mechanism to secure distributed systems was 
outlined in Chapter V. This approach involved risk management 
and developing a security plan. There is no optimal solution 
to designing a security system for a distributed system. The 
level of security depends on the perceived threats and the 
risks ina particular environment. The environment faces by 
distributed systems can be much more diverse than stand-alone 
systems. Risk assessment is required to evaluate and select 
security measures. Yet the impact of these controls must be 
considered against the objectives and operating practices of 
the organization. A balance must be established between tight 
controls which may adversely impact operations of the 
organization against loose Pett vois which result in security 
problems. As an example of a security program, the DOD’s 
highly structured and theoretically researched TCSEC is 
presented for evaluation. 

Regardless of the complexity of the network environment, 
security remains a management issue, not a technological one. 


Prudent management, therefore, will take advantage of the 
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knowledge that the potential for loss ina network environment 
is greater that in any other. They must implement a security 
plan in advance of installing a distributed system and review 
the specific controls as the system expands. It is a matter 
for management to design a security plan that applies to their 
unigue organization. Management must then emphasize the need 
to abide by their plan throughout the organization, and follow 


it up to ensure that the plan is invoked as prescribed. 
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APPENDIX A (INFORMATION SYSTEMS ASSETS) 
Eight Asset Categories: 


1. Hardware 
e Central Machine 

CPU 
Main memory 
I/O Channels 
System Operator’s Console 
Component boards 
Keyboards 
Monitors 
Terminals 
Cables 
Connections 


e Workstations 
e Microcomputers 


e Storage medium 

Magnetic Media 
Disk pack 
Magnetic tapes 
Diskettes (floppies) 
Cassettes 
Drums 

Nonmagnetic media | 
Punch cards 
Paper tape 
Paper printout 


e I/O Devices 
User directed I/O devices 
Printer 
Card reader 
Card punch 
Paper tape reader 
Terminals - local or remote 
Storage I/O devices 
Disk drives 
Tape drives 
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e Communications equipment 
Communications lines 
Communications processors 
Controllers 
Multiplexers 
Switching devices 
Telephones 
Cables 
Modems 
Encryption Devices 


e Special Interface Equipment 
Network front ends 
Intelligent controllers 


2. Software 
e Operating System kernel 


e System Utilities 
e System Programs (compilers) 


e Programs 
Applications 
Standard application/operating programs 
Test programs 
Communications programs 
Source Programs 
Object Programs 
Maintenance diagnostic programs 


3. Information (Data) 
e Data in execution 


e Data in Storage 
On magnetic medial 
Printed data 
Archival 

e Data in Transmission 


e Audit records 


76 


e Multilevel classification 
Level I - Classified 
Top Secret 
Secret 
Confidential 


Level II - Sensitive Unclassified 

Privacy Act data 

Sensitive Business data 

For official use only (FOUO) 
Financial 
Sensitive Management 
Proprietary 
Privileged 


Level III - Unclassified 
All other 


4. Facilities 
e Environmental systems 
Air-conditioning 
Power 
Water 
Lighting 
e Building 


e Computer facility 
Computer room 
Data reception 
Tape / disk library 
Customer engineer room 
I/O area 
Data preparation area 
Physical plant room 

e Backup equipment 
Auxiliary power 
Auxiliary environmental controls 
Auxiliary supplies 

e Supplies 
Magnetic media 
Paper 
Ribbons 
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5. Personnel/Human Resources 


e Computer Personnel 
Supervisory personnel 
Systems analysts 
Programmers 

Applications programmers 
Systems programmers 
Operators 
Librarian 
Security officer 
Maintenance personnel 
Temporary employees 
Consultants 
System evaluators and auditors 
Clerical personnel 


e Building personnel 
Janitors 
Guards 
Facility engineers 
Installation management 


6. Administrative/Operating Procedures 


®e Operations 
Schedules 
Operating guidelines and manuals 
Audit documents 


e Procedures 
Emergency plans 
Continuity of Operation Plans (COOP) 
Disaster Recovery Plans 
Security procedures 
I/O procedures 
Integrity controls 


e Inventory records 
® Operational procedures 
Vital records 


Priority run schedule 
Production procedures 
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7. Documentation 


Software 
Hardware 
File 
Program 
JCL 
system 


8. Supplies 


Magnetic media 
Paper 

Ribbons 

Forms 

Printer fluid 
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APPENDIX B (MAGNETIC MEDIA CONTROL) 


Media marking 
e Marked to accurately reflect the sensitivity of the 
information. Marking may be performed manually or 
automatically. 


e Label storage media to reflect: 
- The sensitivity level of the information they 
contain. 
- Date of creation and destruction. 
- Unique identification number. 
- Creator or user. 


e color coding. Color coding of magnetic media or 
components shall comply with standard color codes for 
classified material. 


Storage 
e Media and containers. Media and containers should be 
marked/protected to the highest security classification 
level or most restrictive category of information stored 
on media until the media is declassified 
(degaussed/erased) Oe the informa easom 
declassified/downgraded. 


e Inventory Control. 


e Access Control. Physical access to media in storage is 
often overlooked. A strong tendency is to protect the 
system while not providing equal measures EOL 
backup/stored data. 


Destruction 
e Destroy storage media in accordance with the 
organization’s security provisions. 


e Educate users to the proper methods for erasing or 
destroying storage media. 


e Degaussing. Demagnetizing magnetic storage media 
(reduce magnetic flux to zero applying (coercive) magnetic 
force). 
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e Clearing vs. Declassification. 
- Clearing procedure. Accomplished by the overwrite 
of classified or sensitive material. Since the 
totality of declassification is lacking, cleared 
medial should not be released to subjects lacking 
access rights to the original material. 


- Declassification procedure. Accomplished by the 
obliteration of classified or sensitive material. 
Proper inventory control records will denote 
Geclassification events. The declassified media is 
releasable without restriction. 


e Emergency destruction.. Addressed as policy in risk 
management and contingency planning programs for the 


intentional mass destruction of media and other material 
Which are classified or sensitive. 


Media security 
e Protect and secure information system storage media. 


e Maintain, control, and audit storage media inventories. 
e Password protection. 
e Removable media. 

- Encourage use of removable, securable data storage 


systems. 


- Avoid fixed hard disks, especially if the system is 
used for classified applications. 


e Control of printer ribbon. Control at the highest level 

of information printed. The ribbon should be retained in 

printer for life-cycle if physical controls permit. 
Accountability 

e Publicize procedures and policies to staff. 

e Ensure that access for storing, transmitting, marking, 


handling, and destroying storage medial is granted only to 
authorized persons. 
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APPENDIX C (CONTINGENCY PLANNING AND BACKUP) 


Contingency Plan Outline: 


Introduction 
Purpose 
Objectives 
- Considerations 
- Assumptions 
= SC ruc eure 


Preparations 
~ Applications 
- Critical Processing Lists 
- Application Backup 
- Support agreement(s) 


Emergency Actions 
- Minimize the impact 
Protect life and property 
Minimize disruption to information system operation 
- Backup operations 
- Develop backup procedures 
- Maintain backup copies of application programs data 
files, and supporting documentation. 


Recovery operations 
- Develop plans to permit rapid restoration of 
information system facility operations 


Perform required periodic testing 


Contingency Plan testing 
~ Not always time for response to read procedures 
- Most critical aspect of successful planning 
- Conduct frequent tests to maintain readiness 
- Minimally, plans will be tested once annually 
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